ConfigurationRecorder - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Records configuration changes to specified resource types. For more information about the configuration recorder, see Managing the Configuration Recorder in the Amazon Config Developer Guide.



The name of the configuration recorder. Amazon Config automatically assigns the name of "default" when creating the configuration recorder.

You cannot change the name of the configuration recorder after it has been created. To change the configuration recorder name, you must delete it and create a new configuration recorder with a new name.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No


Specifies which resource types Amazon Config records for configuration changes.


High Number of Amazon Config Evaluations

You may notice increased activity in your account during your initial month recording with Amazon Config when compared to subsequent months. During the initial bootstrapping process, Amazon Config runs evaluations on all the resources in your account that you have selected for Amazon Config to record.

If you are running ephemeral workloads, you may see increased activity from Amazon Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and Amazon Auto Scaling. If you want to avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with Amazon Config turned off to avoid increased configuration recording and rule evaluations.

Type: RecordingGroup object

Required: No


Amazon Resource Name (ARN) of the IAM role assumed by Amazon Config and used by the configuration recorder.


While the API model does not require this field, the server will reject a request without a defined roleARN for the configuration recorder.


Pre-existing Amazon Config role

If you have used an Amazon service that uses Amazon Config, such as Amazon Security Hub or Amazon Control Tower, and an Amazon Config role has already been created, make sure that the IAM role that you use when setting up Amazon Config keeps the same minimum permissions as the already created Amazon Config role. You must do this so that the other Amazon service continues to run as expected.

For example, if Amazon Control Tower has an IAM role that allows Amazon Config to read Amazon Simple Storage Service (Amazon S3) objects, make sure that the same permissions are granted within the IAM role you use when setting up Amazon Config. Otherwise, it may interfere with how Amazon Control Tower operates. For more information about IAM roles for Amazon Config, see Identity and Access Management for Amazon Config in the Amazon Config Developer Guide.

Type: String

Required: No

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: